The increasingly hefty fines imposed for breaking the rules set out in the EU’s General Data Protection Regulation (GDPR) suggest that, more than two years after it first came into effect, many organizations have not yet got to grips with the compliance challenges it has created. Barely a month goes by without another high-profile violation hitting the headlines. As of November 2020 the total value of penalties levied for GDPR breaches was a staggering €250,000,000.
And hot on the heels of the GDPR we now have the California Consumer Privacy Act (CCPA), which was introduced in January 2020 and further strengthened in November with the passing of the California Privacy Rights Act (CPRA). While the CCPA/CPRA applies ‘only’ to companies operating in California and handling the data of Californian residents, its impact will be felt globally due to California’s status as the fifth largest economy in the world.
Similarly stringent data protection regulations have been introduced in Brazil, Thailand, and South Korea this year, with other countries soon to follow suit. So, the challenge for us all is to put the right compliance and data protection processes and systems in place in each region where our businesses operate and be ready to adapt as the regulations evolve. In the UK, for example, data privacy regulations have been mirroring the GDPR since Brexit, but there is no guarantee that the situation won’t change after the transition period.
Fortunately, enterprise information management (EIM) systems, which are designed to control and organize the huge variety and volume of data flowing through today’s enterprises, can make a big difference in tackling data protection and compliance challenges.
In essence they help you to comply with regulations such as the GDPR and CCPA/CPRA by making it easier to manage personal information and apply appropriate privacy and security measures. With granular control over enterprise content, you can ensure that personal data is managed, processed and stored in line with the rules, and more easily adapt your processes as the global data protection landscape evolves.
Bringing order to the chaos of unstructured data
The phenomenal growth of unstructured data flowing into and around most organizations creates a significant compliance challenge and is an area in which an EIM system really comes into its own.
Unlike the data found in traditional databases, unstructured data (as the name suggests) is not structured in a logical, orderly way. Instead it exists in multiple formats, layouts and locations, ranging from documents, images and videos, to voice recordings, chat logs and SMS messages, as well as data records from business applications. And this ‘disorderliness’ makes unstructured data particularly difficult to track and manage.
EIM technology can bring order to the chaos by allowing you to apply business rules to manage how all of this information is captured, classified and processed. And, with information lifecycle management and records management capabilities, you can automate the retention and disposal of personal data in line with the regulations. Automation helps minimize the cost and manual effort involved in managing compliance while reducing human errors.
What to look for in an EIM system to address compliance challenges
Below is a list of some of the key attributes and capabilities to look for when implementing an EIM solution to address data protection challenges, especially when it comes to complying with regulations such as the GDPR and CCPA/CPRA.
1. Identity and access management (IAM)
A vital part of compliance is monitoring and controlling who is accessing personal information, and the starting point for this is effective identity and access management, including strong user authentication. Multi-factor authentication (MFA) is essential, and you can build out from there with biometrics, digital signatures and location awareness (identifying who is accessing information and from which location). EIM systems also allow you to control user access rights at a granular level – for example to individual data items or areas of a document – based on a range of characteristics, such as job role or document sensitivity.
2. Data segregation
For physical security or compliance, many organizations need the ability to hold data in multiple physical locations and on a variety of storage media, with access controlled centrally. For example, data from European subsidiaries may be required to be stored within the EU.
3. Secure storage
Secure tamper-evident and encrypted data storage is another core requirement. Advanced EIM technology takes things a stage further by incorporating blockchain-ready cryptography and auditing mechanisms to prove immutability of any data held on the system – providing conclusive evidence that it has not been tampered with or illegally accessed.
4. Data redaction
During the course of their work, people around your business are likely to need to access documents containing personal data, ranging from address and contact information to highly sensitive details about individual customers or employees, such as financial or health status. An EIM solution should allow you to selectively redact personal information so that it can only be seen where essential, for example in customer service or by human resources teams.
5. Data disguising
There may be situations where you need to anonymize data in order to protect individual confidentiality, for example when aggregating personal information from groups of customers for statistical analysis. In addition, some EIM systems provide the capability to completely pseudonymize data so that, for example, names and other personal identifiers are replaced with a non-identifying equivalent, such as a code, which can be linked back to the individual later if required.
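The two techniques described above differ in reversibility, and the difference is easy to see in code. This is an added illustration, not code from the article or from any EIM product: anonymization drops the identifier fields outright, while pseudonymization replaces them with a stable code derived under a secret key and keeps the code-to-value table separately so the individual can be re-identified later. The field names, the secret and the sample record are all constructed for the example.

```python
import hmac
import hashlib
from typing import Dict

# Identifier fields to transform; remaining fields (e.g. spend) stay in clear
# so the record remains usable for statistical analysis.
IDENTIFIER_FIELDS = ("name", "email")

# Constructed sample record for the demonstration; not real personal data.
SAMPLE_RECORD = {"name": "Ada Example", "email": "ada@example.invalid", "spend": 120}


def anonymize(record: dict) -> dict:
    """Irreversible: identifiers are dropped, so the record cannot be linked back."""
    return {k: v for k, v in record.items() if k not in IDENTIFIER_FIELDS}


class Pseudonymizer:
    """Reversible: identifiers become stable codes; the code-to-value table is
    held separately so the individual can be re-identified later if required."""

    def __init__(self, secret: bytes) -> None:
        # Hypothetical per-tenant secret; in practice kept in a key store, never
        # alongside the pseudonymized data set.
        self._secret = secret
        self._lookup: Dict[str, str] = {}  # code -> original value

    def _code(self, value: str) -> str:
        # Keyed HMAC rather than a plain hash: without the key, nobody holding
        # the data set can test guesses against the codes to recover a name.
        digest = hmac.new(self._secret, value.encode("utf-8"), hashlib.sha256)
        return "P-" + digest.hexdigest()[:16]

    def pseudonymize(self, record: dict) -> dict:
        out = dict(record)
        for field in IDENTIFIER_FIELDS:
            if field in out:
                code = self._code(str(out[field]))
                self._lookup[code] = str(out[field])
                out[field] = code
        return out

    def reidentify(self, record: dict) -> dict:
        out = dict(record)
        for field in IDENTIFIER_FIELDS:
            if field in out and out[field] in self._lookup:
                out[field] = self._lookup[out[field]]
        return out
```

Because the same value always maps to the same code, pseudonymized records from many customers can still be grouped and counted without exposing who they are.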
6. Compliance monitoring, auditing and reporting
To demonstrate compliance with data protection regulations, you need the ability to continuously monitor all activities related to personal data. Data access, processing, erasure, and evidence of potential compliance issues or suspicious activities – such as unusual access attempts – should all be tracked and recorded. An EIM system should support the monitoring process and also allow reports and other relevant compliance information to be shared with regulators and auditors.
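Points 3 and 6 both rest on an audit record that can be shown not to have been altered. The following is an added example, not the article's or any vendor's code, of the simplest form of such a mechanism: a hash-chained log in which every entry commits to the hash of the entry before it, so that changing any recorded event breaks verification from that entry onward. The event fields and sample events are constructed for the illustration.

```python
import hashlib
import json
from typing import Any, Dict, List, Optional

GENESIS = "0" * 64  # hash value that precedes the first entry


def _entry_hash(prev_hash: str, event: Dict[str, Any]) -> str:
    # Canonical JSON so that the same event always hashes the same way.
    payload = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


class AuditLog:
    """Append-only log where each entry commits to the hash of the one before it."""

    def __init__(self) -> None:
        self.entries: List[Dict[str, Any]] = []

    def append(self, event: Dict[str, Any]) -> str:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"event": dict(event), "prev": prev, "hash": _entry_hash(prev, event)}
        self.entries.append(entry)
        return entry["hash"]  # current head hash; store a copy outside the system

    def verify(self, expected_head: Optional[str] = None) -> int:
        """Return the index of the first inconsistent entry, or -1 if intact.
        Passing the externally stored head hash also detects truncation of the
        tail, which the chain alone cannot reveal."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["prev"] != prev or e["hash"] != _entry_hash(prev, e["event"]):
                return i
            prev = e["hash"]
        if expected_head is not None and prev != expected_head:
            return len(self.entries)
        return -1


# Constructed sample events: access, redaction and erasure of one record.
SAMPLE_EVENTS = [
    {"seq": 1, "actor": "hr-app", "action": "read", "object": "record-1001"},
    {"seq": 2, "actor": "hr-app", "action": "redact", "object": "record-1001"},
    {"seq": 3, "actor": "ops-user", "action": "erase", "object": "record-1001"},
]


def build_sample_log() -> AuditLog:
    log = AuditLog()
    for ev in SAMPLE_EVENTS:
        log.append(ev)
    return log
```

The head hash returned by each append is what an auditor compares against; keeping it somewhere the system itself cannot rewrite is what turns the chain into evidence.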
7. Data minimization and retention management
A new requirement of data protection regulations such as the GDPR is that you should retain only the minimum amount of personal data necessary, and for the shortest possible time. Information lifecycle management is a core EIM capability which allows you to set retention policies to manage data from cradle to grave and ensure that it is always erased automatically or on request, once there is no longer a legitimate purpose for keeping it.
8. Data portability
Both the GDPR and CCPA/CPRA require businesses to supply data in formats that can be transferred easily to third-party suppliers or to individuals who want access to their own data. Any individual moving from one supplier to another can ask for their personal information to be transferred. An EIM system should be able to facilitate this process by allowing you to convert data from different systems around your business into common formats such as PDF, CSV and XML.
9. Managing personal data access requests
The GDPR and CCPA/CPRA give individuals the right to request access to all the personal data an organization holds about them. If your organization receives a request, you must provide the information free of charge within the specified deadline.
As research reveals, fulfilling data subject access requests such as this is a significant challenge, with many businesses either failing to meet the deadline or providing information that is incomplete, poorly formatted or difficult for customers to understand.
Difficulties pinpointing and collating personal information from the huge range of content stores, systems and data types around the business result in compliance failures.
An EIM system allows you to classify information automatically so that it is easier to locate, applying your own classification criteria alongside basic categories such as data owner, content type, sensitivity level and required retention period. In addition, some EIM systems integrate with analytics engines to assist the classification process, for example by identifying personal data within new sources of information.
Information lifecycle management rules enable customer requests for access, erasure or transfer to be carried out automatically as long as the requests are not in breach of other, conflicting regulatory obligations.
10. Decommissioning legacy content repositories
Legacy content repositories pose a particular problem for compliance. Due to their age they tend to lack the necessary security and privacy features required to adequately protect personal data in line with today's stricter rules. A modern EIM system should enable migration of data from these legacy systems so that the original repository can be retired. This not only assists with compliance, but also eliminates the costs of supporting redundant content management systems.
The vast quantities of data that flow through many organizations today make adhering to stringent data privacy regulations a continuing challenge. The granular control and automation provided by EIM technology can help you to manage the complexity and reduce the cost and effort involved in compliance. The bigger picture, of course, is that this is not simply about following regulations for their own sake. Being seen to be safeguarding personal data and using it responsibly helps to gain customer trust. Ultimately it is an important way to retain customers and build brand loyalty in an increasingly competitive business landscape.
Lynda Kershaw, marketing manager, Macro 4